(57) For use with a network having server sites capable of being browsed by users based on identifiers received into the server sites and personal to the users, alternative proxy systems for providing substitute identifiers to the server sites that allow the users to browse the server sites anonymously via the proxy system. A central proxy system includes computer-executable routines that process site-specific substitute identifiers constructed from data specific to the users, that transmits the substitute identifiers to the server sites, that retransmits browsing commands received from the users to the server sites, and that removes portions of the browsing commands that would identify the users to the server sites. The foregoing functionality is performed consistently by the central proxy system during subsequent visits to a given server site as the same site specific substitute identifiers are reused. Consistent use of the site specific substitute identifiers enables the server site to recognize a returning user and, possibly, provide personalized service.

Description

TECHNICAL FIELD OF THE INVENTION 

The present invention is directed, in general, to networks and, more specifically, to a system and method that allows a user to browse personalized server resources on a network anonymously.

BACKGROUND OF THE INVENTION 

The Internet is a well-known collection of networks (e.g., public and private data communication and multimedia networks) that work together (cooperate) using common protocols to form a world wide network of networks.

In recent years, the availability of more efficient, reliable and cost-effective computers and networking tools has allowed many companies and individuals (collectively, "users") to become involved in an ever growing electronic marketplace. The immeasurable gains in technology experienced by the computer industry overall have allowed these users to rely on commercially available computers, such as personal computers ("PCs"), to meet their information processing and communication needs. To that end, PC manufacturers equip most PCs with an interface that may be used for communication over networks, such as the Internet.

The Internet continues to increase its position as an integral place for businesses that offer information and services to potential customers. Popular examples of such businesses are news providers (e.g., www.cnn.com (the Cable News Network), www.nytimes.com (the New York Times), www.wsj.com (the Wall Street Journal), www.ft.com (Financial Times Magazine), www.businessweek.com (Business Week Magazine)); car manufacturers (e.g., www.ford.com/us (the Ford Motor Company), www.gm.com (the General Motor Company), www.toyota.com (the Toyota Motor Company)); book stores (e.g., www.amazon.com (Amazon.com books)); software providers (e.g., www.microsoft.com (the Microsoft software company)) and many more.

Most often, such a business sets up a home page on the World Wide Web (a "web-site"; the World Wide Web is a logical overlay of the Internet). The web-site constitutes an electronically-addressable location that may be used for promoting, advertising and conducting business. Potential electronic customers use web-browsers (e.g., NETSCAPE NAVIGATOR®, MICROSOFT EXPLORER®, etc.) to access the information offered on those web-sites.

An increasing number of web sites offer personalized services that may include "personalized web pages" customized to a user's interests, with hyper-links (a reference or link from some point in one hypertext document to some point in another document or another place in the same document - often displayed in some distinguishing way (e.g., in a different color, font or style)) and displayed messages tailored according to the user's preferences. Such preferences can be ascertained by having a user establish an account with that web-site. This allows the web-site to store information about the user's previous visits, either by tracking the hyper-links the user followed or through explicit dialogs with the user. For example, the Wall Street Journal provides a "personalized journal" to each user, where the sequence and selection of sections is customized. In order to open an account, the user typically has to complete a form electronically, providing a user name, a password, an electronic-mail ("e-mail") address, etc. The latter is often used by the web-site to send back information not provided on the web-site itself to the user.

Given the inherent lack of privacy of electronic communication over the Internet generally, and, particularly, the World Wide Web, it has long been felt that a system that could ensure private electronic communication would be highly advantageous. As an example of the problem, consider the plight of a customer that would like to browse the World Wide Web in a safe and private (anonymous) manner, visiting sites that provide personalized service. The customer would like to establish accounts on web-sites without revealing his true identity, and without reusing the same user names and passwords for multiple sites. Customers should refrain from reusing the same user names and passwords at multiple sites so that a security breach at one site does not affect other sites; additionally, refraining from using such user names and passwords limits the ability of multiple sites to collude to combine customer information and build dossiers on particular customers.

Typically, the customer visits many of these web-sites, and inventing and remembering new user names and passwords for each web-site becomes tedious. Moreover, many of these web-sites require the customer to include his e-mail address with his user name and password -- by providing his e-mail address, the customer reveals his identity.

In addition, there are commercial products available that allow web-sites to track their clients and visitors. Such tracking can be made even when no voluntary information is provided by the user and no form is filled out. Examples of such systems are "Webreporter," which is available from OPENMARKET, INC., and "SiteTrack," which is available from GROUP CORTEX, whose advertisement reads as follows:

"Identify who is visiting your site. Record the actual number of people that visit. Find which links they follow and trace their complete path. Learn which site users came from and which site they depart to..."

These products are made possible because the hypertext transport protocol ("HTTP-protocol"), on which the World Wide Web is largely based, allows specific information to flow back from the user to the web-site. This can include, for example, the user's e-mail address, the last web-site he came from, and information about the user's software and host-computer. Other pertinent user information may be sent by the web-site to the user browser using what are commonly referred to as "cookies" (pieces of information that web-sites may store at the user's browser). On subsequent visits to the web-site, the user's browser sends back information to the web-site without the user's knowledge.

From the foregoing, it is apparent that what is needed in the art is a scheme that provides anonymous personalized web browsing that satisfies two seemingly conflicting objectives, namely, providing user privacy and user identification.

SUMMARY OF THE INVENTION 

To address the above-discussed deficiencies of the prior art, the present invention introduces a proxy system that performs two basic functions: (1) automatic substitution of user-specific identifiers such that server sites (e.g., web sites, junction points, intelligent portal devices, routers, network servers, etc.) within a network are prevented from determining the true identity of the user browsing (accessing, locating, retrieving, reading, contacting, etc.) the sites; and (2) automatic stripping of any other information associated with browsing commands that would allow the server sites to determine the true identity of the user browsing the server sites. An important aspect of the present invention is that the foregoing functions are performed consistently by the proxy system during subsequent visits to the server site (the same substitute identifiers are used on repeat visits to the server site; the server site also cannot distinguish between information supplied by the user and the proxy system, thus the proxy system is transparent to the server site). The present invention therefore not only introduces anonymous browsing, but also personalization based upon the consistent use of substitute identifiers.

It should be noted that the term "true," as used herein, means accurate, actual, authentic, at least partially correct, genuine, real or the like; the term "or," as used herein, is inclusive, meaning and/or; and the phrase "associated with" and derivatives thereof, as used herein, may mean to include within, interconnect with, contain, be contained within, connect to or with, couple to or with, be communicable with, juxtapose, cooperate with, interleave, be a property of, be bound to or with, have, have a property of, or the like.

As is described in greater detail hereinbelow, the principles of the present invention address the conflicting objectives of user privacy and user identification described hereinabove by providing a proxy system, a peripheral proxy system, and a method of providing substitute identifiers to a server site that allow users to browse the same anonymously via the proxy system.

In one embodiment, the present invention provides, for use with a network having server sites capable of being browsed by users based on identifiers received into the server sites and personal to the users, a central proxy system for providing substitute identifiers to the server sites that allow the users to browse the server sites anonymously via the central proxy system. According to various embodiments of the present invention, the substitute identifiers may be suitably constructed by the user site or a routine associated with the central site (advantageous ways (functions) of constructing the substitute identifiers are described hereinafter). The exemplary central proxy system includes: (1) a computer-executable first routine that processes (receives, accepts, obtains, constructs, produces, etc.) site-specific substitute identifiers constructed from data specific to the users, (2) a computer-executable second routine that transmits the substitute identifiers to the server sites and thereafter retransmits browsing commands received from the users to the server sites and (3) a computer-executable third routine that removes (and possibly substitutes) portions of the browsing commands that would identify the users to the server sites. "Include" and derivatives thereof, as used herein, means inclusion without limitation.

In one embodiment, the first of the two above-enumerated basic functions is performed external to the central proxy system, while in another it is performed, at least in part, within the central proxy system. The central proxy system processes and forwards the substitute identifiers as appropriate and directly performs the second of the above-enumerated basic functions by stripping other information that would tend to identify the users. An Internet Access Provider ("ISP"), such as NETCOM®, or a networking service, such as AMERICA ONLINE® or COMPUSERVE®, can advantageously employ the central proxy system to provide anonymous retransmission of browsing commands by their users.

It is important to understand that subsequent use of the proxy system by a "same" user to a "same" server site will cause the proxy system to construct (directly or indirectly) and use the same (site-specific) substitute identifiers. Typically, the proxy system functions as a conduit communicating messages between the user and the server. Depending upon the embodiment, the proxy system may remove or substitute some portion of messages communicated by the user to the server to ensure anonymity.

An alternative advantageous embodiment of the present invention may be provided in the form of a peripheral proxy system designed for use with a network having a server site capable of being browsed by users based on identifiers received into the server site and personal to the users. The peripheral proxy system includes: (1) a computer-executable first routine that constructs a particular substitute identifier from data received from a particular user and (2) a computer-executable second routine that transmits the particular substitute identifier to the central proxy system, the central proxy system retransmitting the particular substitute identifier to the server site and thereafter retransmitting browsing commands received from the particular user to the server site. According to this embodiment, the first routine may be associated, at least in part, with the user site, which distributes the basic functions of the present invention over multiple computer systems.

The foregoing has outlined, rather broadly, preferred and alternative features of the present invention so that those skilled in the art may better understand the detailed description of the invention that follows. Additional features of the invention will be described hereinafter that form the subject of the claims of the invention. Those skilled in the art should appreciate that they can readily use the disclosed conception and specific embodiment as a basis for designing or modifying other structures for carrying out the same purposes of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS 

For a more complete understanding of the present invention, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, wherein like numbers designate like objects, and in which:

FIGURE 1 illustrates a high-level block diagram of an exemplary distributed network with which the principles of the present invention may be suitably used to provide either a central or a peripheral proxy system for allowing users to provide substitute identifiers to server sites of a network to browse anonymously;

FIGURE 2 illustrates a block diagram of an exemplary sub-network of the distributed network of FIGURE 1 showing a central proxy system that includes each of a user site, a central proxy system and a plurality of illustrative server sites according to the principles of the present invention;

FIGURE 3 illustrates an exemplary full screen window of a proxy system according to the principles of the present invention;

FIGURE 4 illustrates an exemplary full screen window of an interface of a particular server site according to the principles of the present invention;

FIGURE 5 illustrates a block diagram of an exemplary sub-network of the distributed network of FIGURE 1 showing a peripheral proxy system that includes each of a user site, a central proxy system and a plurality of illustrative server sites according to the principles of the present invention; and

FIGURE 6 illustrates a block diagram of an exemplary sub-network of the distributed network of FIGURE 1 including each of a user site, a central proxy system and a plurality of illustrative server sites according to an exemplary marker proxy embodiment of the present invention.


DETAILED DESCRIPTION 

Referring initially to FIGURE 1, illustrated is a high-level block diagram of an exemplary distributed network (generally designated 100) with which the principles of the present invention may be suitably used to provide either a central or a peripheral proxy system. Distributed network 100 illustratively includes a plurality of computer sites 105 to 110 that are illustratively associated by Internet 115. Internet 115 includes the World Wide Web, which is not a network itself, but rather an "abstraction" maintained on top of Internet 115 by a combination of browsers, server sites, HTML pages and the like.

According to the illustrated embodiment, either proxy system provides substitute identifiers to one or more of a plurality of server sites 110 of network 100. The substitute identifiers allow user sites (and, hence, users (not shown)) to browse the server sites anonymously via the proxy system. Consistent use of the same (site-specific) substitute identifiers at a particular server site personalizes browsing. For purposes of illustration, site 105a is assumed throughout this document to be a user site, site 110a is assumed to be a central proxy site, and site 110g is assumed to be a server site.

Those of skill in the pertinent art will understand that FIGURE 1 is illustrative only; in other configurations, any of sites 105 to 110 may be a user, a central proxy or a server site, or a combination of at least two of the same. "Server site," as the term is used herein, is construed broadly, and may include any site capable of being browsed.

Although the illustrated embodiment is suitably implemented for and used over Internet 115, the principles and broad scope of the present invention may be associated with any appropriately arranged computer, communications, multimedia or other network, whether wired or wireless, that has server sites capable of being browsed by users based on identifiers received into the server sites and that are personal to the users. Further, though the principles of the present invention are illustrated using a single user site 105a, a single central proxy site 110a and a single server site 110g, alternate embodiments within the scope of the same may include a plurality of user, central proxy or server sites.

Exemplary network 100 is assumed to include a plurality of insecure communication channels that operate to intercouple ones of the various sites 105 to 110 of network 100. The concept of communication channels is known and allows insecure communication of information among ones of the intercoupled sites (the Internet employs conventional communication protocols that are also known). A distributed network operating system executes on at least some of sites 105, 110 and may manage the insecure communication of information therebetween. Distributed network operating systems are also known.

According to exemplary central proxy system 110a of the present invention, which is discussed in detail with reference to FIGURE 2, substitute identifiers may be suitably indirectly provided by central proxy system 110a to server site 110g (recall that substitute identifiers allow user site 105a to browse server site 110g anonymously). One or more site-specific substitute identifiers are suitably provided or constructed from data specific to user 105a either by user 105a or central proxy system 110a. Central proxy system 110a includes a plurality of executable routines - a first routine processes site-specific substitute identifiers constructed from data specific to user 105a (site-specific substitute identifiers may be suitably constructed by a central proxy site 110a, such as by a routine associated with central proxy system 110a); a second routine transmits the substitute identifiers to server site 110g (possibly via a plurality of intermediate user and server sites 105, 110) and thereafter retransmits browsing commands received from user site 105a to server site 110g; and a third routine removes (and possibly substitutes) portions of the browsing commands that would identify user site 105a to server site 110g (and the plurality of intermediate user and server sites 105, 110). The term "routine," as used herein, is construed broadly to not only include conventional meanings such as program, procedure, object, task, subroutine, function, algorithm, instruction set and the like, but also sequences of instructions, as well as functionally equivalent firmware and hardware implementations.

Alternatively, according to an exemplary peripheral proxy system (generally designated 120) of the present invention, which is discussed in detail with reference to FIGURE 5, that is designed for use with network 100 again having a server site 110g capable of being browsed by a user site 105a based on substitute identifiers received into server site 110g and that are personal to user site 105a. Exemplary peripheral proxy system 120 includes first and second executable routines. The first routine, which may advantageously reside in user site 105a or, alternatively, in central proxy system 110a, constructs a particular substitute identifier from data particular to user site 105a. The second routine, which may also advantageously reside in user site 105a or, partially, in user site 105a and central proxy system 110a, transmits the particular substitute identifier to central proxy system 110a. Central proxy system 110a then retransmits the particular substitute identifier to server site 110g and thereafter communicates (e.g., transmits, receives, etc.) information (e.g., browsing commands, data, etc.) between user site 105a and server site 110g.

According to the illustrated embodiment, peripheral proxy system 120 differs from central proxy system 110a by the location of execution of the first and second routines. In the illustrated central proxy embodiment, all routines are executed by central proxy system 110a, which means that all users must send user specific information to central proxy system 110a. In the illustrated peripheral proxy system 120, the first and second routines may be executed in a proxy subsystem associated with user site 105a. In one advantageous embodiment, user system 105a's user specific information (e.g., user identification, passwords, e-mail addresses, telephone numbers, credit card numbers, postal address, etc.) remains local, which will typically be more secure than central proxy system 110a.

As set forth hereinabove, an ISP, such as NETCOM®, or a networking service, such as AMERICA ONLINE® or COMPUSERVE®, can advantageously employ either exemplary proxy system (central or peripheral) to provide anonymous communication (transmission, reception, retransmission, etc.) of browsing (e.g., accessing, selection, reading, etc.) commands between user sites and server sites.

An important aspect of the above-identified embodiments is the use of site-specific substitute identifiers to eliminate the need for a user to have to "invent" a new user name and password for each server site which requires the establishment of an account (e.g., the NEW YORK TIMES, the WALL STREET JOURNAL, the NEWSPAGE® and ESPN® sites). The illustrated embodiment generates secure substitute identifiers (e.g., alias user names, passwords, e-mail addresses, postal addresses, credit card numbers, etc.) that are distinct and secure for the user. The user provides one or more character strings (which may be random) once, which may advantageously be at the beginning of a proxy system session. The proxy system uses the same to generate one or more secure site-specific substitute identifiers for the user -- thereby freeing the user from the burden of inventing new and unique identifiers for each server site. Moreover, the user no longer has to type such secure identifiers every time the user returns to a particular server site requiring an account; instead the proxy system provides the appropriate secure identifiers automatically. In an advantageous embodiment to be described, the proxy system filters other identifying information (e.g., HTTP headers, etc.) sent by user site 105a while browsing server sites. It is important to keep in mind that server sites cannot typically distinguish between information supplied by proxy system 110a and information supplied by user site 105a -- central proxy system 110a being transparent to server sites.

In one embodiment, the substitute identifiers are transmitted on demand from servers, without any intervention from the user. This process automates the response to a "basic authentication request," which is a common procedure used by servers to identify users on the World Wide Web. In this way, the user is not burdened by this activity.

According to the illustrated embodiment, to produce substitute identifiers the proxy system may suitably maintain secret information (secret to at least one server-site) in the form of user definable character strings. These character strings may be user defined and may be maintained in some conventional manner, such as storing the same to memory associated with the proxy system, or, advantageously, a function (described hereinafter) may be used to produce the substitute identifiers, at least in part, in association with the secret information. According to one approach, the proxy system maintains a conventional data structure to maintain the same, such as a database, data repository, an array, etc., or even an alias table, that may be used to map user information to their substitute, or alias, identifiers.

According to one advantageous embodiment, the user delivers its own secret (user definable character string) at the beginning of each session, which is used by the proxy system to generate, directly or indirectly, the substitute identifiers for the session. This option has the advantage that a user has the flexibility to choose different proxies at different times and there is no permanent secret information stored on the proxy system. In another related embodiment, the data comprises at least two secret user definable character strings, wherein the first routine processes substitute identifiers constructed in part from the at least two secret user definable character strings. Of course, alternate suitable approaches may be used to accomplish the purpose of providing anonymous personalized web browsing according to the present invention.

Turning now to FIGURE 2, illustrated is a block diagram of an exemplary sub-network (generally designated 200) of distributed network 100, wherein sub-network 200 includes user site 105a, central proxy system 110a and server site 110g (shown among a plurality of other illustrative server sites 110 of Internet 115) according to the principles of the present invention.

For purposes of illustration, assume that user site 105a issues a command to access server site 110g (the NEW YORK TRIBUNE web-site ("NYT")). Such access would be via central proxy system (server site) 110a, which ensures that user specific data concerning user site 105a is not communicated over the remainder of Internet 115 - there may be HTTP header fields, for example, that include data about user site 105a that central proxy system 110a filters.

Exemplary central proxy system 110a advantageously executes on a server site that is not associable with user site 105a by other sites over Internet 115. According to an advantageous embodiment, central proxy system 110a may be suitably distant, both physically and logically, from user site 105a - user site 105a does not access server-sites directly because the server-sites can determine both physically and logically the Internet Protocol ("IP") address of the machine that made the request.

According to the exemplary embodiment, if user site 105a's command to access NYT 110g is user site 105a's first request of the current session, central proxy system 110a will recognize the same, and display its own HTML-document, possibly on user site 105a's browser.

Turning momentarily to FIGURE 3, illustrated is an exemplary full screen window of a conventional browser 300 ("NETSCAPE®") displaying an inlaid interface 305 ("JANUS℠") of central proxy system 110a according to the principles of the present invention. Exemplary interface 305 prompts a user of site 105a to enter user definable character strings, which according to the illustrated embodiment includes identification ("ID") data and secret ("S") data supplied by the user. Each user initially supplies a user ID (e.g., e-mail address) and a user S to allow one or more substitute identifiers to be chosen or constructed (site-specific substitute identifiers are suitably constructed from data specific to user 105a and a particular server site which user 105a intends to browse). Alternatively, other or further data supplied by the user may be appropriate in some applications (e.g., credit card number, post office address, handle, etc.).

According to the advantageous embodiment, substitute identifiers may be constructed (generated) using a suitable function that includes the features of anonymity, consistency, collision resistance and uniqueness, protection from creation of dossiers, and single secret and acceptability. Concerning anonymity, the identity of the user should be kept secret; that is, a server site, or a coalition of sites, cannot determine the true identity of the user from its substitute identification. Concerning consistency, for each server-site, each user should be provided with some substitute identifiers allowing the server site to recognize the user given the same, thereby enabling the server site to personalize the user's access and the user can thus be "registered" at the server site.

With respect to collision resistance and uniqueness, given a user's identity and a server site, a third party should not find a different user identity which results in the same alias (impersonation) for that server site. As to protection from creation of dossiers, the user is likely to be assigned a distinct alias (substitute identifier) for distinct server sites, so that a coalition of sites is unable to learn a user's habits and build a user profile (dossier) based on the set of sites accessed by the user. Lastly, single secret (user definable character string) and acceptability provides, given the user's identity and a single secret, automatic generation of secure, distinct aliases (substitute identifier) as needed for each server-site, transparent to the user - from the user's perspective, the user definable character string is equivalent to a universal password for a collection of server-sites.

According to this embodiment, a user ID is "corrupt" (not secret) if an adversary (one or more server sites desirous of identifying the user), E, has been able to read the user's secret, S. Alternatively, a user ID is "partially opened" (not fully secure) with respect to a particular server site, w, if E has been able to read the alias password; a user ID is "opened" (not secure) with respect to w, if it is partially opened and E has been able to relate the alias password together with the alias user name to the user ID. Assuming that the function, T(), is defined as follows, T(user ID, web-site ("w"), S) = (substitute username, passwords), hence, $T(id, w, S) = (U_w, P_w)$; and $T_u(id, w, S) = U_w$ and $T_p(id, w, S) = P_w$.



Tu(id,w,S) = Uw = h(enc(k, id, f(s1,w)))

and

Tp(id,w,S) = Pw = h(enc(k, id, f(s2,w))),

wherein

id          denotes user site 105a's ID (e.g., e-mail address);
w           denotes server site 110g's domain name;
//          denotes the logical function of concatenation;
S           denotes k//s1//s2, a user site 105a definable character
            string;
xor         denotes the Boolean function of exclusive or;
f(k,x)      denotes a suitably arranged function for generating
            pseudo-random values, and may be selected from a group of
            functions, such as des(k,h(x),x);
enc(k,x,r)  denotes r//(f(k,r) xor x);
h()         denotes a collision-resistant hash function, such as MD5;
            and
des(k,i,x)  denotes DES encryption in cipher block chaining ("CBC")
            mode, which are known, of information x using key k and an
            initialization vector i.

Both Tu() and Tp() may suitably truncate the result of the hashing
function, h(), to fit the longest allowed user name or password for
the particular server site.

Relating this function, T(), to the above-identified and described
features yields the following:

1. E can only guess at the identity, ID, of a user which is only
   partially opened and uncorrupted.

2. T() is a deterministic function and E can only guess at the
   alias-password of a user which is unopened and uncorrupted.

3. Given w and an uncorrupted and unopened user ID, E can only guess
   at the ID and S.

4. For an uncorrupted user ID and w, T(id,w,S) does not give to E
   information about T(id,w',S) for any w' not equal to w.

5. The range of T(id,w,S) is such that it is accepted by server sites
   as a valid username and password -- implying a limited length
   string of printable characters.

Those skilled in the pertinent art will understand that alternate
suitable functions may replace or be used in association with the
foregoing according to the principles of the present invention.
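
The T() construction above, written out as an added Python example (it is not code from the patent). HMAC-SHA256 is swapped in for the DES-based f() and SHA-256 for MD5; the 16-byte sub-key sizes, the length of r, the alias alphabet, the lower-casing of w and the sample secret are assumptions made here.

```python
import hashlib
import hmac

R_LEN = 16                                         # bytes of pseudo-random r (assumed)
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # characters sites accept (assumed)


def f(key: bytes, x: bytes, n: int) -> bytes:
    """Pseudo-random function f(k, x), expanded to n bytes.

    The text offers des(k, h(x), x) as one choice; HMAC-SHA256 in counter
    mode is swapped in here.
    """
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big") + x, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def enc(k: bytes, x: bytes, r: bytes) -> bytes:
    """enc(k, x, r) = r // (f(k, r) xor x)."""
    pad = f(k, r, len(x))
    return r + bytes(a ^ b for a, b in zip(pad, x))


def h(data: bytes) -> bytes:
    """Collision-resistant hash; SHA-256 swapped in for the MD5 named in the text."""
    return hashlib.sha256(data).digest()


def printable(digest: bytes, max_len: int) -> str:
    """Truncate a digest to max_len characters of ALPHABET (property 5)."""
    if max_len > 40:
        raise ValueError("a 256-bit digest yields at most 40 well-mixed characters")
    n, chars = int.from_bytes(digest, "big"), []
    for _ in range(max_len):
        n, rem = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[rem])
    return "".join(chars)


def split_secret(S: bytes):
    """S = k // s1 // s2, taken here as three 16-byte parts (assumed sizes)."""
    if len(S) != 48:
        raise ValueError("S must be 48 bytes: k // s1 // s2")
    return S[:16], S[16:32], S[32:]


def T(user_id: str, w: str, S: bytes, max_user: int = 8, max_pass: int = 12):
    """T(id, w, S) = (Uw, Pw), with Uw keyed by s1 and Pw keyed by s2."""
    k, s1, s2 = split_secret(S)
    idb, wb = user_id.encode(), w.lower().encode()
    uw = printable(h(enc(k, idb, f(s1, wb, R_LEN))), max_user)
    pw = printable(h(enc(k, idb, f(s2, wb, R_LEN))), max_pass)
    return uw, pw


SAMPLE_S = bytes(range(48))   # constructed secret, for the demonstration only


def aliases_for_sites(user_id: str, sites, S: bytes = SAMPLE_S):
    """One (alias user name, alias password) pair per server site."""
    return {w: T(user_id, w, S) for w in sites}


if __name__ == "__main__":
    for site, pair in aliases_for_sites(
            "alice@example.org", ["news.example", "sports.example"]).items():
        print(site, pair)
```

Running it twice prints the same pairs, which is the consistency property, while the two sites receive unrelated user names and passwords.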

Use of the foregoing exemplary substitute identifier constructing
function, and for that matter, any other suitably arranged function
for constructing substitute identifiers according to the present
invention, operates to foster the above-identified features of
anonymized and personalized browsing. The present invention provides
the ability to anonymously visit a server site a first time via
site-specific substitute identifiers, to interact with the server site
as a function thereof, and to re-visit the server site on subsequent
occasions using the same site-specific substitute identifiers,
interacting with the server site as a return customer -- possibly
receiving personalized attention -- as a function of the recognized
substitute identifiers. Simply stated, the substitute identifiers are
constructed consistently and in advantageous embodiments in a
site-specific manner.

In one embodiment of the present invention, the substitute identifiers
include site-specific substitute user names and site-specific
substitute user passwords. "Site-specific" means that the names and
passwords vary from site to site, depending perhaps upon the address
of each site. This may complicate the task of creating a dossier
relative to a given user. In a related embodiment, the first routine
constructs site-specific substitute e-mail addresses for user site
105a from the site-specific data. In an alternate advantageous
embodiment, the first routine constructs the site-specific substitute
identifiers from addresses of the server sites - of course,
site-specific information other than the address of the site may be
used to construct the substitute identifiers.

If this is the first contact of the user with central proxy system
110a, then the user may suitably generate a user defined character
string (secret) at random and store the same locally. In one
advantageous embodiment, the first routine processes substitute
identifiers that may be constructed by applying pseudo-random and hash
functions (e.g., T() function set forth hereinabove) to the data
received from user site 105a - those skilled in the art are familiar
with the structure and operation of pseudo-random and hash functions
and their utility. The important aspect of this and related
embodiments is that the present invention is adapted to take advantage
of current and later-discovered functions to enhance anonymity and
security.

Alternatively, if this is the first contact of a current session then
the user may suitably enclose the stored user defined character string
to central proxy system 110a. Nonetheless, browser 300 sends interface
305 together with a user's ID and other user definable character
string to central proxy system 110a. Central proxy system 110a
receives this information and may use the same for the rest of the
session.

In one advantageous embodiment, the first routine receives or
generates session tags that are added to the browsing commands,
central proxy site 110a employing the session tags to associate the
substitute identifiers with each of the browsing commands -- the
session tags, while not necessary to the present invention, provide
one manner that allows user sites 105a to supply their data only once,
usually at the beginning of each session. In a related advantageous
embodiment, central proxy site 110a includes a data store that is
capable of containing session information specific to user sites 105a
and accessible by server sites 110g.

In one advantageous embodiment, the second routine described above,
which may be local to the central proxy system 110a, transmits the
substitute identifiers to server site 110g. In a further advantageous
embodiment, the second routine transmits the substitute identifiers to
server site 110g based on alphanumeric codes supplied in fields of
web-pages 305 by the users. The alphanumeric codes prompt the second
routine as to how and where to locate the substitute identifiers,
removing the users from actually having to provide the substitute
identifiers directly. Of course, the alphanumeric codes may be
supplied in a different form. In a related, more specific embodiment,
the users manually place the alphanumeric codes in the fields of
web-pages 305. Of course, the present invention encompasses
intelligent parsing of the fields of web pages 305 to determine
automatically how and where the alphanumeric codes should be located.
Those skilled in the art are familiar with the Internet in general,
the World Wide Web in particular and the way in which the structure of
the World Wide Web promotes "browsing." The present invention finds
apparent utility in conjunction with the Internet and the World Wide
Web, however, those skilled in the art will readily understand that
the present invention has advantageous application outside of the
Internet as well in any suitably arranged computer, communications,
multimedia or like network configuration.

Nonetheless, after central proxy system 110a obtains the required
information about the user, the above-described third routine removes
portions of the browsing commands that would identify user site 105a
to server site 110g, and forwards user site 105a's original request
for access to NYT-site 110g (e.g., using an HTTP get-request) -
thereby selectively excluding from the request header-fields or the
like that may identify the user.

If this is the user's first visit to NYT-site 110g, then it may
suitably provide the user with an electronic form prompting, for
example, for a user name, a password and an e-mail address in order to
establish an account. Turning momentarily to FIGURE 4, illustrated is
exemplary full screen window of conventional NETSCAPE® browser 300
displaying an inlaid interface 400 ("THE NEW YORK TRIBUNE") of server
site 110g according to the principles of the present invention.

Now, instead of having to provide a unique user name and a secret
password, the user may suitably provide these fields with simple
escape strings (e.g., "<uuuu>" and "<pppp>"). More specifically, the
alphanumeric codes above-described may be suitably arranged into such
escape sequences -- those skilled in the art are familiar with escape
sequences. These strings are recognized by central proxy site 110a
which uses user site 105a's user name and secret (user definable
character string) along with the domain-name of the NEW YORK TRIBUNE
and computes substitute identifiers (e.g., alias user name, u3, and
alias password, p3, in FIGURE 2, etc.), such as by function T(ID,
secret, domain-name).

The site-specific substitute identifiers may be sent to a particular
server site by central proxy system 110a using the same mechanism that
the user would submit input to the particular server site. In other
words, proxy system 110a receives information communications, such as
browsing commands, from user site 105a intended for server site 110g,
and retransmits the same to server site 110g - central proxy system
110a functioning as a transparent conduit for anonymizing and, through
consistent generation of site-specific substitute identifiers,
personalizing server site browsing.

On a subsequent visit to NYT-site 110g, which will require that user
site 105a authenticate itself (response to the first get-request
forwarded to NYT-site 110g by central proxy system 110a), central
proxy system 110a may be suitably operative to automatically recompute
u3 and p3 and reply by sending these values back to NYT-site 110g
(re-sending the get-request). User site 105a is thereby freed from the
burden of remembering the user name and password of its NYT-site 110g
account. To summarize, the protocol, which may be suitably executed
without involving user site 105a, includes: (1) a step of NYT-site
server 110g requesting an authentication from central proxy site 110a
by failing the first get request; (2) central proxy site 110a
recomputing the substitute identifiers (e.g., (alias-user name,
alias-password) = T(ID, secret, domain-name), or the like); (3)
central proxy site 110a replying by re-sending the get with the same
substitute identifiers.

The substitute identifiers are consistent in the sense that the
substitute identifiers are presented on subsequent visits to the same
server site by user 105a. Consistent substitute identifiers allow
server sites to recognize returning users and provide personalized
service to them. In one embodiment, the second routine transmits the
substitute identifiers on demand from servers, without any
intervention from user 105a. This process automates the response to a
"basic authentication request," which is a common procedure used by
servers to identify users 105a on the World Wide Web. In this way,
user 105a is not burdened by this activity. In this embodiment, the
second routine may have to re-transmit the original user request along
with the substitute identifier to the server.
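
The three-step authentication exchange summarized above, together with the session tag, the escape strings and the removal of identifying header fields that this text describes, as an added Python example that is not part of the patent. The list of identifying headers, the X-Session-Tag carrier, the alias_for stand-in for T() and the FakeSite server are assumptions constructed here.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs

# Assumed list of header fields that can identify the user; the text names none.
IDENTIFYING_HEADERS = {"from", "referer", "user-agent", "via", "forwarded", "x-forwarded-for"}
SESSION_TAG_HEADER = "x-session-tag"      # hypothetical carrier for the session tag
ESC_USER, ESC_PASS = "<uuuu>", "<pppp>"   # escape strings quoted in the text


def alias_for(user_id: str, secret: bytes, domain: str):
    """Stand-in for T(ID, secret, domain-name): deterministic and site-specific."""
    def part(label: str, n: int) -> str:
        msg = f"{label}|{domain.lower()}|{user_id}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:n]
    return "u" + part("user", 7), part("pass", 12)


class CentralProxy:
    def __init__(self, send):
        self.send = send      # callable(domain, headers, body) -> (status, headers, body)
        self.sessions = {}    # session tag -> (user ID, secret), kept for the session only

    def open_session(self, tag, user_id, secret):
        self.sessions[tag] = (user_id, secret)

    def handle(self, domain, headers, body=""):
        tag, clean = None, {}
        for name, value in headers.items():
            low = name.lower()
            if low == SESSION_TAG_HEADER:
                tag = value                      # consumed here, never forwarded
            elif low not in IDENTIFYING_HEADERS:
                clean[name] = value
        if tag not in self.sessions:
            return 403, {}, "unknown session"    # fail closed: forward nothing
        user, password = alias_for(*self.sessions[tag], domain)
        body = body.replace(ESC_USER, user).replace(ESC_PASS, password)
        status, rhead, rbody = self.send(domain, clean, body)
        if status == 401 and rhead.get("WWW-Authenticate", "").startswith("Basic"):
            # Steps (2) and (3): recompute the aliases, re-send the same request.
            token = base64.b64encode(f"{user}:{password}".encode()).decode()
            retry = dict(clean, Authorization="Basic " + token)
            status, rhead, rbody = self.send(domain, retry, body)
        return status, rhead, rbody


class FakeSite:
    """Constructed stand-in for a server site with registration and basic auth."""
    def __init__(self):
        self.accounts, self.seen = {}, []

    def __call__(self, domain, headers, body):
        self.seen.append((dict(headers), body))
        if body:                                  # registration form submission
            form = parse_qs(body)
            self.accounts[form["user"][0]] = form["pass"][0]
            return 200, {}, "registered"
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401, {"WWW-Authenticate": 'Basic realm="members"'}, ""   # step (1)
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        if self.accounts.get(user) == password:
            return 200, {}, "welcome back " + user
        return 403, {}, "denied"


def demo():
    site = FakeSite()
    proxy = CentralProxy(site)
    proxy.open_session("tag-1", "alice@example.org", b"constructed-secret")
    browser = {"X-Session-Tag": "tag-1", "From": "alice@example.org", "Accept": "text/html"}
    first = proxy.handle("news.example", browser, "user=<uuuu>&pass=<pppp>")
    later = proxy.handle("news.example", browser)
    return first, later, site


if __name__ == "__main__":
    first, later, site = demo()
    print(first[2], "|", later[2], "|", len(site.seen), "requests reached the site")
```

The site sees three requests (registration, the failed get, the re-sent get) and none of them carries the From field, the session tag or the true user ID.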

It should be noted that many servers require a valid e-mail address
for creating an account - users cannot use their true e-mail address
for this purpose since it uniquely identifies them. The proxy system
of the present invention may suitably solve this problem by creating
an alias e-mail address for user site 105a and store e-mail in an
electronic mailbox. In one advantageous embodiment, central proxy
system 110a includes a data store capable of containing e-mail
destined for the users, thereby preventing server sites from
contacting users directly. Contrary to prior art anonymous remailers,
the present embodiment is not required to rely on having to store any
translation tables (which may be large and vulnerable) from alias to
true user identifiers in central proxy system 110a. This embodiment is
inherently more secure than prior art approaches as central proxy
system 110a is not required to maintain and protect a translation
table and cannot be forced to reveal the contents of any such table to
a third party.

In an alternate advantageous embodiment, central proxy system 105a
further includes a data store capable of containing e-mailboxes for
the users and specific to the server sites. According to this
embodiment, each user has a mailbox for each site that has generated
mail destined for the user. Rather than compromising security by
allowing automatic remailing to the user, the present embodiment may
store e-mail for explicit retrieval by each user.

For each server, it may be advantageous for users to have a separate
e-mail box, possibly identified by user-substitute identifiers. This
approach may allow for suitable disposal of e-mail messages received
from the third-parties (e.g., "junk e-mail") as well as the option of
selective disposal of e-mail messages.

In one advantageous embodiment each of e-mailboxes has a key
associated therewith, the key being a function of the data and an
index number. The use of keys with e-mailboxes is known. In another
advantageous embodiment, central proxy system 110a further comprises a
computer-executable routine that, given the substitute identifiers,
collects e-mail destined for the users and contained within a
plurality of site-specific e-mailboxes. This embodiment may suitably
employ a mail-collecting routine that automatically locates user site
105a's various mailboxes and retrieves the mail therefrom once the
user has supplied the appropriate data.

According to one advantageous embodiment, central proxy system 110a
includes functionality necessary to support electronic payment, the
users employ electronic payment information to engage in anonymous
commerce with the server sites. To facilitate the same, central proxy
system 110a may include a data store capable of containing such
electronic payment information. Further, substitute identifiers may be
constructed, at least in part, using credit/debit card numbers, bank
branch or account numbers, postal addresses, telephone numbers, tax
identification numbers, social security numbers or the like. Various
methods for achieving anonymous commerce are known.

By way of further example, an ever increasing number of sites require
a valid credit card number as part of establishing an account, so that
such sites may charge the user for their services (e.g., WALL STREET
JOURNAL®, ESPN®, etc.). While the above-described proxy system
provides substitute identifiers to free users from remembering these
items and by providing a guard on (involuntary) data flowing to the
web-site, it may not provide complete anonymity to a user who has
provided a credit card number to a site. One solution, described
briefly above, requires central proxy system 110a to provide its own
valid credit card number to the requesting site and then collect money
from its users. If central proxy system 105a is incorporated into an
Internet provider, for example, such as AMERICA ONLINE®, then this
relationship may already exist.

Alternatively, central proxy system 110a may be known and trusted by
other sites, thereby allowing central proxy system 110a to generate an
alias credit card number and expiration date, and then to authenticate
this data and send it to a requesting site. The site can then check
that this number indeed originates from central proxy system 110a and
hence accepts the same as valid, with the understanding that it can
collect the money from central proxy system 110a. There no longer is a
need to send a "real" credit card number between central proxy system
110a and the sites.

It is important to realize that the various features and aspects of
the embodiments above-described may also be suitably implemented in
accordance with the peripheral proxy system described with reference
to FIGURE 1. More particularly, turning momentarily to FIGURE 5, there
is illustrated a block diagram of an exemplary sub-network (generally
designated 500) of the distributed network of FIGURE 1 showing a
peripheral proxy system 120 that includes each of user site 105a,
central proxy system 110a and NYT-site 110g (shown among a plurality
of other illustrative server sites 110 of Internet 115) according to
the principles of the present invention.

Peripheral proxy system 120, as set forth above, includes first and
second executable routines. The first routine, which advantageously
resides in user site 105a, constructs substitute identifiers from data
particular to user site 105a. The second routine, which also
illustratively resides in user site 105a, transmits the substitute
identifiers to central proxy system 110a. Central proxy system 110a
then retransmits the substitute identifiers to server site 110g and
thereafter communicates (e.g., transmits, receives, etc.) information
(e.g., browsing commands, data, etc.) between user site 105a to server
site 110g. This second configuration is particularly advantageous when
users may not trust central proxy system 110a or the communication
lines therebetween, and want to keep user identifications and other
secret information secure.

A local proxy system 510 may be used to maintain the same, and may use
the user's identification and other information to compute the
substitute identifiers. Local proxy system 510 communicates with a
central proxy system 110a, which may be used to forward communication
to servers and handle e-mail. In one embodiment, central proxy system
110a communicates with computer-executable local routines associated
with the users, the local routines constructing the site-specific
substitute identifiers from data specific to the users. Again, central
proxy system 110a may rely on distributed routines, local to each
user, that generate the substitute identifiers and transmit the same
to central proxy system 110a.

Turning now to FIGURE 6, illustrated is a block diagram of an
exemplary sub-network (generally designated 600) of the distributed
network 100 including each of user site 105a, central proxy system
110a and a plurality of illustrative server sites 110b, 110c, and 110g
according to an exemplary marker proxy embodiment of the present
invention. As described above, the central proxy system of the present
invention may be employed in at least two configurations, namely, a
central proxy configuration (FIGURE 2) or a peripheral proxy
configuration (FIGURE 5).

In the central proxy configuration, central proxy system 110a computes
substitute identifiers. An implementation of this configuration may
require user site 105a to provide one or more user definable character
strings (e.g., user identification, password and other secret
information) once, and central proxy system 110a will thereafter
generate the substitute identifiers as needed. Central proxy system
110a may associate the user definable character strings with a series
of HTTP requests generated by the same user site 105a - the central
proxy system 110a may associate each request with a session, that
contains all communication between a specific user site 105a and the
central proxy system 110a.

The HTTP protocol however does not generally directly support sessions
or relationships between requests. More particularly, each HTTP
request may be sent on a new socket connection, and there is no
required HTTP header field that can link successive requests from the
same user.

It should be noted that the session identification is typically not
necessary in the peripheral proxy configuration since central proxy
system 110a may forward communications without any computation. In a
typical embodiment, peripheral proxy system 120 retransmits browsing
commands received from user site 105a to central proxy system 110a,
which then retransmits such commands to server site 110g. According to
one embodiment, peripheral proxy system 120 removes and, possibly,
substitutes portions of the browsing commands that would identify user
site 105a to server site 110g.

In one advantageous embodiment user site 105a runs a marker program
605 locally. Marker program 605 operates to tag user site 105a's
requests with a session tag, t. Central proxy system 110a uses this
tag to identify requests belonging to a particular one of a group of
users. Marker program 605 may be implemented to store user site 105a's
session tag and add this tag to all requests, and central proxy system
110a removes the session tag before forwarding the request to some
server site. The session tag should be unique, as no two users should
have the same tag.


It should be noted that NETSCAPE® uses "cookies," which are a
mechanism for storing and retrieving long term session information
(the use of "cookies" conceptually is known). The cookies are
generated by the browsed servers and are associated with a specific
domain name. Browsers 300 submit the cookies associated with a
specific domain name whenever the user revisits that domain. Servers
typically only generate cookies associated with their domain. Cookies
provide an easy mechanism to keep session information, such as the
contents of a "shopping cart," account name, password, event counters,
user preferences, etc.

Some companies use cookies extensively to track users and their
habits. Since the proxy systems of the present invention present
substitute identifiers to browsed servers, the servers cannot learn
true user identities. Thus all of the information that the server may
store in its cookie relates to some "alias persona," and not to the
true user. Whenever the user returns to the same server, it will
present the same substitute identifiers, and may also submit the
cookie that the server generated earlier for this alias persona.

It is apparent from above, that the present invention provides, for
use with a network having user sites and server sites, wherein the
server sites are capable of being browsed by the user sites based on
identifiers received into the server sites and personal to the user
sites, both a central and a peripheral proxy system for providing
consistent substitute identifiers to the server sites that allow the
user sites to browse the server sites in an anonymous and personal
fashion via the proxy system.

An exemplary central proxy system includes: (1) an executable first
routine that processes site-specific substitute identifiers
constructed from data specific to the user sites, (2) an executable
second routine that transmits the substitute identifiers to the server
sites and thereafter retransmits browsing commands received from the
user sites to the server sites and (3) an executable third routine
that removes (and possibly substitutes) portions of the browsing
commands that would identify the user sites to the server sites.

An exemplary peripheral proxy system includes: (1) an executable first
routine that constructs a particular substitute identifier from data
received from a particular user site and (2) an executable second
routine that transmits the particular substitute identifier to a
central proxy system, the central proxy system then retransmitting the
particular substitute identifier to the server site and thereafter
retransmitting browsing commands received from the particular user
site to the server site.

Although the present invention has been described in detail, those
skilled in the art should understand that they can make various
changes, substitutions and alterations herein without departing from
the scope of the invention in its broadest form. More particularly, it
should be apparent to those skilled in the pertinent art that the
above-described routines are software-based and executable by a
suitable conventional computer system/network. Alternate embodiments
of the present invention may also be suitably implemented, at least in
part, in firmware or hardware, or some suitable combination of at
least two of the three. Such firmware or hardware embodiments may
include multi, parallel and distributed processing environments or
configurations, as well as alternate programmable logic devices, such
as programmable array logic ("PALs") and programmable logic arrays
("PLAs"), digital signal processors ("DSPs"), field programmable gate
arrays ("FPGAs"), application specific integrated circuits ("ASICs"),
large scale integrated circuits ("LSIs"), very large scale integrated
circuits ("VLSIs") or the like - to form the various types of modules,
circuitry, controllers, routines and systems described and claimed
herein.

Conventional computer system architecture is more fully discussed in
The Indispensable PC Hardware Book, by Hans-Peter Messmer, Addison
Wesley (2nd ed. 1995) and Computer Organization and Architecture, by
William Stallings, MacMillan Publishing Co. (3rd ed. 1993);
conventional computer, or communications, network design is more fully
discussed in Data Network Design, by Darren L. Spohn, McGraw-Hill,
Inc. (1993); and conventional data communications is more fully
discussed in Voice and Data Communications Handbook, by Bud Bates and
Donald Gregory, McGraw-Hill, Inc. (1996), Data Communications
Principles, by R. D. Gitlin, J. F. Hayes and S. B. Weinstein, Plenum
Press (1992) and The Irwin Handbook of Telecommunications, by James
Harry Green, Irwin Professional Publishing (2nd ed. 1992).


Claims 

1. A central proxy system for coupling to a network and for allowing
users to browse server sites on said network anonymously via said
central proxy system, said central proxy system comprising:

a computer-executable first routine that processes site-specific
substitute identifiers constructed from data specific to said users;

a computer-executable second routine that transmits said substitute
identifiers to said server sites and thereafter retransmits browsing
commands received from said users to said server sites; and

a computer-executable third routine that removes portions of said
browsing commands that would identify said users to said server sites.

2. The central proxy system as recited in Claim 1 wherein said data
comprises identification data and a user definable character string
supplied by said users.


3. The central proxy system as recited in Claim 1 wherein said
site-specific substitute identifiers comprise site-specific substitute
user names and site-specific substitute user passwords.

4. The central proxy system as recited in Claim 1 wherein said first
routine constructs site-specific substitute electronic mail addresses
for said users from said data.

5. The central proxy system as recited in Claim 1 wherein said first
routine constructs said site-specific substitute identifiers from
addresses of said server sites.

6. The central proxy system as recited in Claim 1 wherein said server
sites are World Wide Web sites capable of presenting web pages to said
users, said second routine transmitting said substitute identifiers to
said server sites under direction of said users.

7. The central proxy system as recited in Claim 1 wherein said second
routine transmits said substitute identifiers to said server sites
based on alphanumeric codes supplied in web page fields by said users.

8. The central proxy system as recited in Claim 7 wherein said
alphanumeric codes are arranged in escape sequences.

9. The central proxy system as recited in Claim 7 wherein said users
manually place said alphanumeric codes in said web page fields.

10. The central proxy system as recited in Claim 9 wherein said
central proxy system communicates with computer-executable local
routines associated with said users, said local routines constructing
said site-specific substitute identifiers from data specific to said
users.

11. The central proxy system as recited in Claim 1 further comprising
a data store capable of containing electronic mail destined for said
users.

12. The central proxy system as recited in Claim 1 wherein said first
routine processes substitute identifiers constructed by applying
pseudo-random and hash functions to said data received from said
users.

13. The central proxy system as recited in Claim 1 further comprising
a data store capable of containing electronic mailboxes for said users
and specific to said server sites.

14. The central proxy system as recited in Claim 13 wherein each of
said electronic mailboxes has a key associated therewith, said key
being a function of said data and an index number.

15. The central proxy system as recited in Claim 1 further comprising
a computer-executable routine that, given said substitute identifiers,
collects electronic mail destined for said users and contained within
a plurality of site-specific electronic mailboxes.

16. The central proxy system as recited in Claim 1 wherein said first
routine receives session tags added to said browsing commands, said
central proxy system employing said session tags to associate said
substitute identifiers with each of said browsing commands.

17. The central proxy system as recited in Claim 1 further comprising
a data store capable of containing session information specific to
said users and accessible by said server sites.

18. The central proxy system as recited in Claim 1 further comprising
a data store capable of containing electronic payment information,
said users employing said electronic payment information to engage in
anonymous commerce with said server sites.

19. The central proxy system as recited in Claim 1 further comprising
an initializing routine that constructs said site-specific substitute
identifiers from data specific to said users and communicates said
site-specific substitute identifiers to said first routine.

20. A peripheral proxy system for coupling to a network and for
allowing at least one user to browse a server site on said network
anonymously via a central proxy system, said peripheral proxy system
comprising:

a computer-executable first routine that constructs a particular
substitute identifier from data received from a particular user; and

a computer-executable second routine that transmits said particular
substitute identifier to said central proxy system, said central proxy
system retransmitting said particular substitute identifier to said
server site and thereafter retransmitting browsing commands received
from said particular user to said server site.

21. The peripheral proxy system as recited in Claim 20 wherein said
data comprises identification data and a user definable character
string supplied by said particular user.


22. The peripheral proxy system as recited in Claim 20 
wherein said particularsubstitute identifier compris¬ 
es a particularsubstitute username and a particular 
substitute user password. 

s 

23. The peripheral proxy system as recited in Claim 20 
wherein said first routine constructs a particular 
substitute electronic mail address for said particular 
user from said data. 

w 

24. The peripheral proxy system as recited in Claim 20 
wherein said first routine constructs said particular 
substitute identifier from an address of said server 
site, said particular substitute identifier therefore 

is being specific to said server site. 

25. The peripheral proxy system as recited in Claim 20
wherein said server site is a World Wide Web site
capable of presenting at least one web page to said
users, said central proxy system transmitting said
particular substitute identifier to said server site
under direction of said particular user.

26. The peripheral proxy system as recited in Claim 20
wherein said central proxy system said particular
substitute identifier to said server site based on
alphanumeric codes supplied in web page fields by
said user.

27. The peripheral proxy system as recited in Claim 26
wherein said alphanumeric codes are arranged in
escape sequences.

28. The peripheral proxy system as recited in Claim 20
wherein said central proxy system further comprises
a computer-executable third routine that removes
portions of said browsing commands that
would identify said particular user to said server
site.

29. The peripheral proxy system as recited in Claim 28
wherein said first and second routines are executable
on a computer system associated with said
particular user and said central proxy system is a
computer system having a network address different
from said computer system associated with said
particular user.

30. The peripheral proxy system as recited in Claim 20
wherein said central proxy system further comprises
a data store capable of containing electronic mail
destined for said particular user.

31. The peripheral proxy system as recited in Claim 20
wherein said first routine constructs said particular
substitute identifier by applying pseudo-random
and hash functions to said data received from said
particular user.

32. The peripheral proxy system as recited in Claim 20
wherein said central proxy system further comprises
a data store capable of containing an electronic
mailbox for said particular user and specific to said
server site.

33. The peripheral proxy system as recited in Claim 32
wherein said electronic mailbox has a key associated
therewith, said key being a function of said data
and an index number.

34. The peripheral proxy system as recited in Claim 20
wherein said central proxy system further comprises
a computer-executable routine that, given said
particular substitute identifier, collects electronic
mail destined for said particular user and contained
within at least two electronic mailboxes.

35. The peripheral proxy system as recited in Claim 20
wherein said central proxy system further comprises
a computer-executable marker routine that adds
session tags to said browsing commands, said
proxy system employing said session tags to associate
said particular substitute identifier with each
of said browsing commands.

36. The peripheral proxy system as recited in Claim 20
wherein said central proxy system further comprises
a data store capable of containing session information
specific to said particular user and accessible
by said server site.

37. The peripheral proxy system as recited in Claim 20
wherein said central proxy system further comprises
a data store capable of containing electronic payment
information, said particular user employing
said electronic payment information to engage in
anonymous commerce with said server site.

38. A method for use with a network having a server
site capable of being browsed by users and for allowing
said users to browse said server site on said
network anonymously via said proxy system, said
method comprising the steps of:

constructing a particular substitute identifier
from data received from a particular user;
transmitting said particular substitute identifier
to said server site; and
thereafter retransmitting browsing commands
received from said particular user to said server
site.

39. The method as recited in Claim 38 wherein said data
comprises identification data and a user definable
character string supplied by said particular user.

40. The method as recited in Claim 38 wherein said
particular substitute identifier comprises a particular
substitute user name and a particular substitute
user password.

41. The method as recited in Claim 38 further comprising
the step of constructing a particular substitute
electronic mail address for said particular user from
said data.

42. The method as recited in Claim 38 wherein said
step of constructing comprises the step of constructing
said particular substitute identifier from an
address of said server site, said particular substitute
identifier therefore being specific to said server site.

43. The method as recited in Claim 38 wherein said
server site is a World Wide Web site capable of presenting
at least one web page to said users, said
method further comprising the step of transmitting
said particular substitute identifier to said server site
under direction of said particular user.

44. The method as recited in Claim 38 wherein said
step of transmitting comprises the step of transmitting
said particular substitute identifier to said server
site based on alphanumeric codes supplied in web
page fields by said user.

45. The method as recited in Claim 44 wherein said
alphanumeric codes are arranged in escape
sequences.

46. The method as recited in Claim 38 further comprising
the step of removing portions of said browsing
commands that would identify said particular user
to said server site.

47. The method as recited in Claim 46 wherein said
step of constructing is performed on a computer
system associated with said particular user and
said steps of transmitting and thereafter transmitting
are performed on a computer system having a
network address different from said computer system
associated with said particular user.

48. The method as recited in Claim 38 further comprising
the step of storing electronic mail destined for
said particular user.

49. The method as recited in Claim 38 wherein said
step of constructing comprises the step of applying
pseudo-random and hash functions to said data
received from said particular user.

50. The method as recited in Claim 38 further comprising
the step of creating an electronic mailbox for
said particular user and specific to said server site.

51. The method as recited in Claim 50 wherein said
electronic mailbox has a key associated therewith,
said key being a function of said data and an index
number.

52. The method as recited in Claim 38 further comprising
the step of collecting electronic mail destined for
said particular user and contained within at least
two electronic mailboxes given said particular substitute
identifier.

53. The method as recited in Claim 38 further comprising
the step of adding session tags to said browsing
commands, said proxy system employing said session
tags to associate said particular substitute
identifier with each of said browsing commands.

54. The method as recited in Claim 38 further comprising
the step of storing session information specific
to said particular user and accessible by said server
site.

55. The method as recited in Claim 38 further comprising
the step of storing electronic payment information,
said particular user employing said electronic
payment information to engage in anonymous commerce
with said server site.

Welcome to Janus!

Janus is a system for personalized anonymous Web access.

Janus generates consistent untraceable aliases for you from the
information you provide in this page. Janus neither stores this
information nor passes it to any server. Consequentially, Janus does
not authenticate you. You must provide the same information in future
sessions to generate the same aliases.

You will see this form only once at the beginning of the session. You
cannot change the input to Janus during the rest of your session,
unless Janus detects that it fails to authenticate you.

The pair <user name, alias-seed> should be unique among all Janus users. You can use your
E-mail address as your name to reduce chance of collision with other users. Janus will not pass
your name to any server. Maximal size for user name and seeds is 1000 characters each!

Enter your user name (use your E-mail address):

Enter your secret (must contain at least 8 characters):

Verify your secret by typing it again:

Submit    Reset

Click here for more information about Janus.
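
The stateless derivation that the Janus form and claims 24, 31 and 33 describe can be illustrated as follows. This is an added example, not code from the patent: PBKDF2 and HMAC-SHA256 stand in for the unspecified "pseudo-random and hash functions", and the function names, field labels, output lengths and the proxy.example mail domain are assumptions.

```python
import base64
import hashlib
import hmac

MAIL_DOMAIN = "proxy.example"  # assumed domain of the proxy's mail store


def master_key(user_name: str, secret: str) -> bytes:
    """Stretch the secret; the user name is the salt, so nothing is stored."""
    if len(secret) < 8:
        raise ValueError("secret must contain at least 8 characters")
    if len(user_name) > 1000 or len(secret) > 1000:
        raise ValueError("user name and secret are limited to 1000 characters")
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), user_name.encode(), 200_000)


def _prf(key: bytes, label: str, site: str, index: int = 0) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so ("ab","c") != ("a","bc")."""
    fields = (label.encode(), site.strip().lower().encode(), str(index).encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


def _text(raw: bytes, length: int) -> str:
    """Render PRF output as lowercase base32 (a-z, 2-7), safe for form fields."""
    return base64.b32encode(raw).decode().lower().rstrip("=")[:length]


def alias_for(user_name: str, secret: str, site: str) -> dict:
    """Site-specific substitute username, password and e-mail address."""
    key = master_key(user_name, secret)
    return {
        "username": "u" + _text(_prf(key, "username", site), 11),
        "password": _text(_prf(key, "password", site), 20),
        "email": _text(_prf(key, "email", site), 12) + "@" + MAIL_DOMAIN,
    }


def mailbox_key(user_name: str, secret: str, index: int) -> str:
    """Mailbox key as a function of the user's data and an index number."""
    return _prf(master_key(user_name, secret), "mailbox", "", index).hex()


if __name__ == "__main__":
    # Constructed sample input; the site name is a placeholder.
    print(alias_for("alice@example.org", "correct horse", "tribune.example"))
```

Because the alias is recomputed from the same inputs on every visit, the site sees a returning user while two sites cannot link their aliases without the secret.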

Netscape: Registration

The New York Tribune

Registration

Welcome to The New York Tribune on the Web. If you're visiting us
for the first time, please register now by filling out the form below.
There is currently no charge for U.S. residents to subscribe to our
site, but we are requiring registration, which is a one-time only
process.

If you have already registered, continue to the home page. If
you've registered, but are having problems entering the site,
consult our help section.

Choose a Subscriber ID for The New York Tribune on the
Web:

Choose a password:

Minimum five characters

Minimum five characters

Re-enter password for confirmation:

Enter your e-mail address: